I'm evaluating SecureBlackbox for the purpose of protecting SSL communication (HTTPS) between a Windows Phone client and the server against MitM attacks.

My initial attempts were similar to this thread (https://www.eldos.com/forum/read.php?FID=7&TID=3994&MID=22013&sphrase_id=450502#message22013) - to validate the certificate before initiating the connection, but I got stuck on getting the CA certificate.

I was able to capture server certificates in the OnCertificateValidate event and store them to a file (TElMemoryCertStorage.SaveToBufferPKCS7) and successfully restore the storage later when needed. However, I'm getting the same validation error (reason 32) and the last part of the answer is somewhat unclear to me (using TElWinCertStorage) - should I be capturing all certificates of Windows (desktop) and carrying them over to Windows Phone?

Is there any better/more recommended way of protecting against MitM attacks on WP using SecureBlackbox, or would this be the right approach? The simplest example I need to protect from is setting Fiddler as a proxy on WP and installing its certificate to decrypt HTTPS traffic.

Thank you, I've now managed to validate certificates in the OnCertificateValidate event (by using a missing Root certificate AND setting the validator's CheckCRL and CheckOCSP properties to false).

However... setting the phone proxy to the PC where Fiddler is listening shows the same result: all validation is passing without the Fiddler certificate showing anywhere in the chain (as it does in the browser). Any idea of what I may be doing wrong?
